Friday, September 3, 2010

Managing Access from the Internet to DoD

The Internet reaches DoD addresses through intermediate network devices known as routers. A router is a special-purpose dedicated computer that receives a packet on one of its incoming links, makes a forwarding decision, and sends the packet out on one of its outgoing links. That decision is based on the current state of the connected links as well as on the priorities (metrics) assigned to the various links, so that the next connection is selected efficiently. Each router consults a routing table, which on Internet-facing routers is populated by the Border Gateway Protocol (BGP), to determine the next network on the path toward the destination. Consequently, routing tables never remain static: they change dynamically as conditions change in real time.

[Figure: pictures of Cisco network routers]

There are thousands of routers on the Internet paths to DoD network devices. The routing tables learned through BGP are held in each router's memory. They store the routes and metrics that direct the selection of a path toward a particular IP destination, and they are updated in real time as the conditions of the intervening network connections change. A unique Autonomous System Number (ASN) is allocated to each independently administered network on the Internet, including the networks that ultimately carry transactions to every DoD location. As of July 2009 the global BGP routing table contained roughly 320,000 prefixes, each an announced block of IP addresses. A router learns from each neighbor which prefixes are reachable through that neighbor, together with the sequence of ASNs the announcement has passed through on its way from the originating network.

The management of routing tables is automated so that they adapt instantly, and routers can take on additional functions, such as security checks in which verification of the reverse path (discarding a packet whose source address is not reachable through the interface it arrived on) is sometimes feasible.

Routers carry communication packets between the IP address from which a message originates and its final destination, which in the case of DoD could be any of millions of addresses. When a router receives an incoming packet, it passes it to the next router, a step known as a “hop”. That router repeats the process, and so on, until each packet reaches its final destination, often after eight to twenty hops.

This entire process depends on the information in the routing tables stored in each router. Corruption of any one table on the path from origin to destination leads to network malfunctions, which makes routing tables a preferred attack target. If the routing recalculations are maliciously modified, the routing table will contain wrong entries that corrupt an Internet-mediated transaction: traffic can be dropped, delayed, or delivered to a party that is not the intended recipient. Since thousands of routers direct traffic to DoD, the proliferation of routing tables on its path, always managed by third parties, continues to leave DoD vulnerable.

The primary source of vulnerability in routing protocols is the lack of verification of routing information obtained from neighboring routers. Each router must obtain information from other routers to build a database that reflects the surrounding network topology, and it periodically exchanges status data with its neighbors. However, the routers have no way to verify that the data they receive is correct: a BGP router accepts, on the neighbor's word alone, that the neighbor can reach the prefixes it announces and that each announcement originated where its AS path claims. Injected false routing information therefore propagates from one router to the next, compromising the integrity of every router along the path. The DoD vulnerability is magnified by the multiple hops that take place across several routers from origin to destination.
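To make the propagation argument concrete, the following added example (not part of the original post) simulates five autonomous systems exchanging BGP-style announcements. The ASNs (private-use 65001 to 65005), the links between them, and the prefix 192.0.2.0/24 (a documentation prefix standing in for a DoD block) are all constructed for the example. In the first run no router validates origins, so a more-specific bogus announcement from AS 65005 propagates hop by hop and longest-prefix matching diverts the client's traffic to the hijacker. The second run goes one step beyond the text: the routers apply an origin policy of the kind an RPKI route origin authorization (ROA) provides, and the bogus route is rejected at the first hop that receives it and never propagates further.

```python
"""Simulation of BGP-style route propagation with and without origin
validation. Constructed example: the ASNs (private-use 65001-65005),
links and the documentation prefix 192.0.2.0/24 are hypothetical."""
import ipaddress
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple          # ASNs the announcement traversed; last = origin AS


class Router:
    """One autonomous system's border router holding a routing table (RIB)."""

    def __init__(self, asn, roa=None):
        self.asn = asn
        self.rib = {}        # prefix -> best Route known so far
        self.neighbors = []  # directly connected Routers
        # Hypothetical origin policy: {covering prefix: (valid origin ASNs, max
        # prefix length)}; stands in for an RPKI ROA check. None = no validation.
        self.roa = roa

    def origin_valid(self, route):
        if self.roa is None:
            return True
        for covering, (origins, maxlen) in self.roa.items():
            if route.prefix.subnet_of(covering):
                return route.as_path[-1] in origins and route.prefix.prefixlen <= maxlen
        return True  # no policy covers this prefix: treated as unknown, accepted

    def receive(self, route):
        """Install the route if it is valid and better (shorter AS path) than the
        one already held. Returns True when the RIB changed."""
        if self.asn in route.as_path:          # loop prevention
            return False
        if not self.origin_valid(route):       # the check BGP alone lacks
            return False
        current = self.rib.get(route.prefix)
        if current is not None and len(current.as_path) <= len(route.as_path):
            return False
        self.rib[route.prefix] = route
        return True

    def lookup(self, ip):
        """Forwarding decision: longest-prefix match over installed routes."""
        addr = ipaddress.ip_address(ip)
        matches = [r for p, r in self.rib.items() if addr in p]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def announce(origin, prefix):
    """Originate `prefix` at `origin` and flood it hop by hop. Each router that
    installs the route re-advertises it with its own ASN prepended."""
    net = ipaddress.ip_network(prefix)
    origin.rib[net] = Route(net, ())          # locally originated: empty path
    queue = deque([origin])
    while queue:
        r = queue.popleft()
        outgoing = Route(net, (r.asn,) + r.rib[net].as_path)
        for n in r.neighbors:
            if n.receive(outgoing):
                queue.append(n)


VICTIM_PREFIX = "192.0.2.0/24"           # stands in for a DoD address block
VICTIM_ASN = 65001
ROA = {ipaddress.ip_network(VICTIM_PREFIX): ({VICTIM_ASN}, 24)}


def build(roa=None):
    """Chain victim - transit1 - transit2 - client, with the attacker peering
    with transit2. All constructed for the example."""
    victim, t1, t2, client, attacker = (Router(a, roa) for a in (65001, 65002, 65003, 65004, 65005))
    link(victim, t1)
    link(t1, t2)
    link(t2, client)
    link(t2, attacker)
    return victim, t1, t2, client, attacker


def hijack_scenario(validate):
    """Return (origin ASN, prefix) the client uses to reach 192.0.2.10."""
    victim, _, _, client, attacker = build(ROA if validate else None)
    announce(victim, VICTIM_PREFIX)
    announce(attacker, "192.0.2.0/25")   # bogus, more-specific announcement
    best = client.lookup("192.0.2.10")
    return best.as_path[-1], str(best.prefix)


if __name__ == "__main__":
    print("no validation:  ", hijack_scenario(validate=False))   # (65005, '192.0.2.0/25')
    print("with validation:", hijack_scenario(validate=True))    # (65001, '192.0.2.0/24')
```

Two simplifications are worth noting: the simulation picks routes by AS path length only (real BGP applies local preference and several tie-breakers first), and the flood is a single pass, so it does not model withdrawals or later re-convergence. Neither changes the point: a client three hops from the victim ends up trusting whichever neighbor offered the most specific prefix, and only an explicit origin check at an intermediate router stops that.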

To attack routers a hostile source needs information about how the network is configured and where its routers are logically located. That information is easy to obtain: a trace route reveals the IP address of each hop on the path to a destination, and numerous commercial and freely available trace route programs exist for the purpose. Other attack tools are available as well, either from commercial sources or as software under development by increasingly sophisticated information warfare organizations.

Summary

One way of assuring DoD security is to make DoD network IP addresses reachable only through a limited number of BGP routing tables (or only one). This would force all incoming DoD traffic to obtain its routes exclusively from a DoD-owned and DoD-operated computer, leaving outsiders unable to scan DoD IP addresses for the purpose of launching an attack.

Forcing access to DoD exclusively through DoD-managed routing tables presents a challenge and would call for reconfiguring its network topology. The result would be greater control over the handling of every bit of incoming traffic.

For comments please e-mail paul@strassmann.com